A company is setting up its GCP Organization. They have three main departments: HR, Finance, and Engineering. Engineering has two sub-teams: Dev and QA. They want to apply a policy that prevents the creation of public IP addresses for all Engineering projects, but allows it for HR and Finance. How should you design the resource hierarchy and policy?

Apply the Organization Policy at the Organization node and use IAM to grant exceptions to HR and Finance.

Create Folders for HR, Finance, and Engineering. Apply an Organization Policy constraint to the Engineering folder to disable external IPs.

Create a custom IAM role that denies public IP creation and assign it to all Engineering users.

Apply the constraint individually to every project inside the Engineering department.